Spear phishing is one of the most high-profile — and costly — types of cyberattacks.
Using masterful social engineering, emotional manipulation, and false identities, spear phishers convince their targets to hand over private data, wire huge sums of money, and grant access to privileged systems.
And while few still fall for the classic, generalized “Nigerian prince”-type phishing schemes, statistics show that when it comes to specialized, carefully crafted spear phishing attacks, we’re perhaps more vulnerable than ever.
What Is Spear Phishing?
Spear phishing is a subtype of phishing, an attack in which a scammer uses a false identity to obtain confidential or sensitive information. These social engineering attacks manipulate your emotions, trust and behavior with lies, empty threats and false promises, putting you in a vulnerable state and making you more likely to fall for the scam.
But what sets spear phishing apart from other phishing and social engineering attacks is its targeted, highly specific nature.
Phishing: Casting a Wide Net
Phishing attacks can take many forms, but they all follow the same basic formula: an attacker attempts to extract valuable information, like passwords or credit card numbers, from victims by pretending to be a legitimate entity.
A phishing email may appear to come from an organization like the IRS, with a warning about a missed tax payment and a link to a fake payment website. Or a phishing text message may claim to be from Google, requesting that you reply with your password in order to protect your account from a suspicious login attempt.
Many phishing emails include attachments, which appear to be innocuous or important documents but actually contain malicious code. Once the attachment is opened, the hidden malware can scrape the victim’s hard drive for valuable data, record keystrokes or even hold the computer for ransom.
Often, urgency is emphasized: subject lines containing phrases like “immediate attention required” or “final notice” are common, as are purported 24-hour response deadlines and other panic-inducing claims. This raises victims’ anxiety and makes them more likely to act without thinking things through or verifying the legitimacy of the message.
These general phishing attacks are typically impersonal and nonspecific, addressed to “customer” or “user” and appearing to come from massive organizations like Facebook, USPS or the FBI. This approach values breadth over depth, with messages often reaching thousands of victims simultaneously.
Casting such a wide net improves the attacker’s odds of success. Even if only 1 in 1,000 people fall for the scam, it’s easy to send emails en masse to tens of thousands of people, and each victim can bring in hundreds, if not thousands, of dollars.
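The tells this section describes (urgency wording, 24-hour deadlines, impersonal “Dear Customer” salutations, requests for secrets, and a sender whose display name borrows a brand its domain does not carry) can be scored mechanically as a first-pass mail filter. The heuristic below is an added example, not code from the article; its brand list, phrase list and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Tells named in the article (constructed, non-exhaustive heuristics).
BRANDS = ("irs", "google", "facebook", "usps", "fbi")          # commonly impersonated
URGENCY_PHRASES = ("immediate attention required", "final notice")
DEADLINE = re.compile(r"\bwithin\s+(?:24|48)\s*hours?\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*dear\s+(?:customer|user|member)\b", re.I | re.M)
SECRET_REQUEST = re.compile(r"\b(?:reply with|send|confirm)\b[^.\n]{0,40}\b(?:password|card number|ssn)\b", re.I)


def phishing_signals(raw_message: str) -> list[str]:
    """Return the mass-phishing tells present in a plain-text RFC 822 message."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{subject}\n{body}".lower()
    found = []
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower()
    for brand in BRANDS:
        # e.g. "Google Security <alerts@g00gle.example>": the name borrows a brand the domain lacks.
        if re.search(rf"\b{brand}\b", display_name, re.I) and brand not in domain:
            found.append(f"display name claims {brand} but sender domain is {domain}")
            break
    if any(phrase in text for phrase in URGENCY_PHRASES):
        found.append("urgency wording")
    if DEADLINE.search(text):
        found.append("short response deadline")
    if GENERIC_GREETING.search(body):
        found.append("impersonal salutation")
    if SECRET_REQUEST.search(text):
        found.append("asks for a secret")
    return found


# Constructed sample messages; domains use the reserved .example TLD.
PHISH = """From: Google Security <alerts@accounts-g00gle.example>
Subject: Immediate attention required: suspicious login

Dear Customer,
We blocked a suspicious login. Reply with your password within 24 hours or your account will be closed.
"""
LEGIT = """From: Alice <alice@team.example>
Subject: Lunch Thursday?

Hi Bob, are you free for lunch on Thursday around noon?
"""
```

Each signal on its own is weak (a real bank can legitimately write “final notice”), so treat the list as a triage score for routing mail to review, not as a verdict.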
Spear Phishing: A Targeted Approach
Spear phishing, as its name implies, is much more focused in its strategy.
Rather than sending generic messages to scores of people, spear phishers choose a single victim and conduct detailed, personalized attacks in hopes of obtaining very specific, valuable information.
Spear phishing attacks require a good deal of research and skill, often necessitating weeks or months of preparation and reconnaissance. By obtaining and using details like personal facts, confidential knowledge and references to private conversations, attackers instill a sense of familiarity and trust in their victims, setting the stage for the rest of the scam.
As with general phishing attacks, disguises may include government agencies, banks, social media sites and other large organizations. But they can also get much more specific: spear phishers may pretend to be coworkers, bosses, neighbors, relatives, friends, friends-of-friends, doctors, personal accountants and even long-lost acquaintances.
Once the spear phisher selects and perfects their disguise, it’s often shockingly easy for them to lull their victim into a false sense of security — and quickly obtain their desired information.
Spear Phishing Scenario: Infiltrating the Town Government
One day, the treasurer of a small, affluent town arrives at work to find that he’s received a new voicemail. It’s from a number he doesn’t recognize, but it is a local area code and exchange, so he presses play.
The voice on the recording says it’s Mary, the mayor’s wife. Her voice sounds a little strange and stilted, a bit more nasal than the treasurer remembers her sounding, but he doesn’t think much of it — people sound different on the phone, and she might have that nasty cold that’s been going around.
Mary says that her husband is out of town — on that fishing trip he’d been talking about at work for weeks now — and doesn’t have good cell service, but he’s asked her to log in to the town’s bank account and check something for him.
But the login credentials aren’t where he said they were, and now she can’t get him to pick up his phone. Would the treasurer mind sending the username and password to her by text — oh, and she just got a new phone number, so could he send them to the number on the voicemail, not her old one?
Mary ends the message by giving her best wishes to the treasurer’s wife and kids, mentioning them by name and sending extra good luck to the treasurer’s son on his upcoming college interview.
All of these details — the big fishing trip, the children’s names, the college interview, even the mayor’s disorganization — convince the treasurer that it really is Mary making the request. So he texts the username and password to her new number and goes about his day.
The Aftermath of Spear Phishing
The following day, the treasurer walks into his office and finds the mayor waiting for him there. Panicked and distraught, he says that the town’s coffers were emptied overnight: hundreds of thousands of dollars, gone.
It turns out that “Mary” wasn’t Mary after all: she was a spear phisher who had spent the past week posing as a concerned citizen, hanging around the town offices and eavesdropping on the mayor’s conversations.
She knew when he would be away on his fishing trip, knew his wife’s name, even knew that he often forgot to do things — like leave notes — that he said he would do. A quick glance at the treasurer’s public Facebook posts gave her the names of his family members and their latest life updates, like the upcoming college interview.
And once she had all that information, all it took was a burner phone and a quick voicemail for her to rob the town blind.
Key Spear Phishing Takeaways
- Spear phishing is a variety of phishing that targets specific individuals or groups rather than large swaths of the population.
- Like all phishing, spear phishing uses social engineering tactics to trick victims into believing that the attacker is someone they’re not, then handing over valuable information.
- Common disguises for spear phishers include government agencies (the IRS, the FBI), banks, social media companies, colleagues, relatives, friends and others with whom the target has a preestablished relationship.
- A spear phisher may spend an extended period of time studying and researching their target in order to make their disguise more believable.
- Spear phishers manipulate victims’ emotions, causing them to act unwisely and impulsively out of fear, panic, love, compassion, altruism or obedience.
History of Spear Phishing
Phishing in general first took off in the mid-1990s, as home computing and internet use became increasingly prevalent.
The first attacks targeted AOL customers: phishers would send emails disguised as official AOL correspondence, asking people to verify their login credentials and billing information in a reply.
Though these and similar attacks continued over the next few years, tech companies responded by developing email filters designed to detect phishing attempts and other fraudulent messages. And they, along with the mainstream media, carried out a public education campaign to help people recognize and avoid phishing scams.
By 2010, most internet users could see generic, mass-sent phishing emails for what they were, and scammers saw their success rates drop dramatically. They began switching strategies: rather than trying to ensnare large numbers of victims with bulk emails, they would conduct more elaborate attacks against specific targets with more valuable data to hand over.
Between 2010 and 2011, regular phishing emails fell from 300 billion a year to 40 billion a year. Meanwhile, spear phishing attacks increased by 300% as scammers came to recognize that, although spear phishing took more effort, the return on investment was far greater than that of regular phishing.
Spear Phishing by the Numbers
65% of all cybercrime groups rely on spear phishing as their primary means of attack.
In 2019, 88% of organizations experienced at least one spear phishing attempt, with 9% experiencing over 100 attempts.
Spear phishing attacks are highly correlated with the typical work week: 87% of attempts occur between Monday and Friday.
Over 71% of all targeted cyberattacks utilize spear phishing.
On average, a single successful spear phishing attack costs an organization $1.6 million in data loss, disrupted business, response and recovery.
Famous Spear Phishing Attacks
The Google and Facebook Spear Phishing Attack
Between 2013 and 2015, Lithuanian hacker Evaldas Rimasauskas stole over $120 million from Google and Facebook by posing as Quanta Computer, a real company that regularly contracts with both victims.
He sent the tech giants fake invoices, contracts and “official” letters, collecting millions of dollars at a time from unsuspecting employees. In 2017, he was caught and extradited to the US, where he pled guilty to wire fraud and was sentenced to 5 years in prison.
The Crelan Bank Attack
In 2016, Belgium-based Crelan Bank announced that it had lost over $75 million to a spear phishing attack. Attackers had posed as the bank’s CEO, sending emails to the finance department with instructions to wire tens of millions of dollars to an overseas account.
An internal audit flagged the transfers as suspicious, but it was already too late: the money was gone. And though the bank was able to recover from the attack with no impact on its customers, the hackers responsible were never caught.
Who Coined the Term Phishing?
The origins of the term ‘phishing’ and the concept it refers to can be traced back to the 1990s and America Online (AOL).
A group of hackers, known as the warez community, impersonated AOL employees and became known as “the first phishers.” They intended to steal login credentials and personal information from unsuspecting AOL users.
Spear phishing is a cyber attack that targets individuals or organizations using personal, often tailored emails and messages to fool recipients into disclosing confidential data such as passwords or network access codes.
Spear phishing attacks are more sophisticated than other types of phishing attempts since they leverage personal information about the target to make their messages appear more legitimate and increase the chances of success.
They often go unrecognized by standard security measures, making them particularly dangerous for organizations and end-users.
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renowned computer security professional